tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christian Schulz <Sch...@Devcon-Mail.de>
Subject AW: TomCat - IIS - Security
Date Tue, 27 Feb 2001 22:36:48 GMT
Hello Randy,

how can we tell TomCat to perfom user authentication using NT mechnism
(NTLM) ? And, if we want to protect

"ourserver/secretfolder" with permissions for user "foo" and user "bar",
but
"ourserver/secretfolder/moresecret" with permissions for user "bar", how
could that be possible ?

Bye

	Christian

-----Urspr√ľngliche Nachricht-----
Von: Randy Layman [mailto:randy.layman@aswethink.com]
Gesendet: Dienstag, 27. Februar 2001 13:57
An: tomcat-user@jakarta.apache.org
Betreff: RE: TomCat - IIS - Security



	This seems perfectly reasonable to me - you told IIS to protect
everything it serves our of outserver/secrectfolder and have apparently not
told Tomcat to protect this webapp.  If you want to protect all JSPs then
you can protect the /jakarta directory, or you could configure Tomcat to
perform user authentication.

	Randy

-----Original Message-----
From: Christian Schulz [mailto:Schulz@Devcon-Mail.de]
Sent: Tuesday, February 27, 2001 8:17 AM
To: 'tomcat-user@jakarta.apache.org'
Cc: Thomas Dingel
Subject: TomCat - IIS - Security
Importance: High


Hello, 
when using Tomcat with IIS, we have a security hole. 
We installed Tomcat as descriped at the documentation. 
The following scenario will show our problem: 
We have a folder named reachable as http://outserver/secretfolder/ with NT
Security permissions set. 
The folder "secretfolder" can only be read by the system and by a user named
"foo". Now, without tomcat, the user "foo" can access the contents of the
folder "secretfolder", all other users will get "access denied". We use NTLM
for authentification (so the browser [IE 5.x] automatically send the current
NT user's account to the webserver).
Now, we put a file named "testme.jsp" to "secretfolder" and try to open it
from an NT User's account named "bar". The IIS now redirects to TomCat
without checking any permissions and tomcat returns the result of
"testme.jsp". But, in our opinion, this should not happen !!!
The user "bar" also has to get an error "access denied" ! So, TomCat
bypasses NT Security ! 
Does anybody have a solution for that ? 
Bye bye 
  Christian Schulz 

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-user-help@jakarta.apache.org


Mime
View raw message